How Can Asset Tokenization Unlock Capital for Small and Medium Enterprises Globally?

Unlocking Global Capital for SMEs Through Asset Tokenization

Asset Tokenization

Small and medium enterprises (SMEs) form the backbone of economies worldwide, driving innovation, employment, and economic growth. Despite their vital role, SMEs often face significant challenges in accessing capital, particularly from traditional financial institutions that impose stringent requirements or favor larger corporations. In this context, asset tokenization, the process of converting real-world or financial assets into digital tokens on a blockchain, has emerged as a transformative mechanism to unlock new sources of funding. By enabling fractional ownership, improving liquidity, and expanding investor access, asset tokenization offers SMEs an innovative way to raise capital globally. This article explores the mechanics, benefits, challenges, and best practices of leveraging asset tokenization for SME financing.

What is Asset Tokenization?

Asset tokenization is the representation of ownership rights of an underlying real-world or financial asset in the form of digital tokens on a blockchain. These tokens can represent physical assets like real estate, machinery, inventory, or intangible assets such as intellectual property, receivables, or future revenue streams.

Key Features of Tokenized Assets

  1. Fractional Ownership: One asset can be divided into multiple tokens, allowing multiple investors to participate in a single investment.
  2. Programmable Compliance: Smart contracts can automate regulatory compliance, investor verification, and dividend or interest payments.
  3. Transparency and Security: Blockchain records are immutable, providing transparent ownership and transaction history.
  4. Global Accessibility: Digital tokens can be transferred across borders, expanding the pool of potential investors.
  5. Liquidity: Tokenized assets can be traded on digital exchanges, reducing traditional barriers to entry and exit.

By digitizing assets, SMEs can leverage their existing resources to attract capital without relying solely on loans or equity dilution.

Types of Assets SMEs Can Tokenize

SMEs can leverage a wide variety of assets for tokenization:

  1. Equity Tokens: Represent ownership stakes in the company, allowing fractional equity investment from multiple investors.
  2. Real Estate Tokens: Convert property or facilities owned by SMEs into tradable tokens to unlock capital tied in real estate.
  3. Revenue-Backed Tokens: Represent a claim on a percentage of future revenue or cash flows.
  4. Invoice and Receivables Tokenization: SMEs can convert unpaid invoices into tokenized assets, enabling immediate liquidity.
  5. Intellectual Property Tokens: Patents, trademarks, or proprietary technology can be tokenized, providing funding without diluting equity.

By strategically selecting the right asset for tokenization, SMEs can optimize both capital inflow and investor appeal.

How Asset Tokenization Facilitates Capital Access for SMEs

Small and medium enterprises (SMEs) often face significant barriers when seeking capital for growth, operational expansion, or modernization. Traditional financing options, such as bank loans or venture capital, are often restrictive, expensive, and slow. Asset tokenization offers an innovative solution by converting tangible and intangible assets into tradable digital tokens using blockchain technology, creating new funding pathways, improving liquidity, and providing access to a global investor base.

Fractional Ownership and Investment Access

Asset tokenization allows SMEs to divide high-value assets into smaller, tradable units, enabling partial monetization without relinquishing full ownership. By issuing tokens representing fractional ownership, businesses can attract retail and institutional investors. For instance, a manufacturing SME could tokenize a production machine valued at $500,000, issuing 5,000 tokens priced at $100 each. Investors worldwide can purchase these tokens, providing liquidity to the SME while it retains partial ownership. Fractionalization lowers entry barriers for investors and diversifies funding sources, reducing dependency on a single investor or lender.

Enhanced Liquidity

Illiquid assets such as machinery, property, or long-term contracts often limit SME financing options. Tokenization converts these assets into digital tokens that can be traded on secondary markets, unlocking liquidity previously unavailable. Investors can buy and sell tokens independently of the SME, creating continuous capital flow and reducing reliance on one-off funding rounds. Improved liquidity allows SMEs to reinvest in research, operations, or strategic expansion while enhancing investor confidence and facilitating future fundraising.

Global Investor Reach

Traditional SME financing is typically constrained by geography, regulatory frameworks, and limited networks. Tokenization removes these boundaries, providing access to a global pool of investors seeking fractionalized, asset-backed opportunities. SMEs in emerging markets, in particular, benefit from international capital that bypasses local scarcity and currency restrictions. Blockchain-based tokenization enables cross-border investment while adhering to regulatory standards, allowing SMEs to secure competitive funding and diversify risk across multiple geographies.

Transparency and Trust

Blockchain technology ensures every transaction, token issuance, and ownership transfer is permanently recorded, enhancing transparency and reducing information asymmetry. Investors can monitor performance, token circulation, and dividend payouts in real-time, which builds confidence in their investment. For SMEs, this transparency strengthens credibility with investors, lenders, and regulators while improving corporate governance. A verifiable record of asset activity mitigates concerns about fraud or mismanagement, making tokenization a reliable tool for sustainable growth.

Cost-Effective Capital Raising

Raising capital through traditional methods often involves intermediaries such as lawyers, underwriters, and brokers, which increases costs and delays funding. Tokenization automates these functions via smart contracts, including dividend distribution, voting rights, and regulatory compliance, reducing administrative overhead. This efficiency enables SMEs to access working capital faster, allocate more funds to operations, and minimize errors. By streamlining fundraising and lowering costs, tokenization enhances financial agility and empowers SMEs to seize timely growth opportunities.

Strategic Steps for SMEs to Leverage Asset Tokenization

Identify Suitable Assets

Not all assets are ideal for tokenization. SMEs should identify high-value, illiquid, or revenue-generating assets that can be fractionalized and traded. Examples include commercial real estate, specialized machinery, intellectual property, or trade receivables. A thorough asset assessment helps in selecting candidates with strong investment appeal.

Develop a Tokenization Plan

A comprehensive tokenization plan should outline the type of token (equity, revenue-sharing, utility), tokenomics (supply, allocation, distribution), fundraising objectives, and investor rights. Strategic planning ensures alignment with business goals and investor expectations.

Ensure Legal and Regulatory Compliance

SMEs must engage legal advisors to structure compliant token offerings. This includes drafting smart contract terms, adhering to securities regulations, implementing KYC/AML protocols, and managing cross-border legal requirements. Compliance is essential for investor protection and regulatory approval.

Partner with Technology Providers

Implementing tokenization requires robust blockchain infrastructure. SMEs should collaborate with blockchain developers, tokenization platforms, and digital exchanges to ensure secure token issuance, smart contract execution, and investor onboarding.

Engage Investors and Build Market Confidence

Investor engagement is critical for successful capital raising. SMEs should leverage marketing strategies, investor education, and transparent reporting to build trust. Demonstrating asset value, revenue potential, and governance standards enhances investor confidence and market adoption.

Monitor and Manage Tokenized Assets

Post-issuance, SMEs must manage tokenized assets, facilitate trading, distribute returns, and maintain compliance. Ongoing monitoring ensures liquidity, investor satisfaction, and the long-term success of tokenized offerings.

Use Cases of Asset Tokenization for SMEs

Real Estate Tokenization

SMEs that own commercial or residential properties can tokenize these assets to raise capital without selling the entire property. Fractional ownership allows multiple investors to participate, generating a steady flow of funds while retaining operational control. Real estate tokenization is particularly relevant for SMEs in urban centers or industrial zones seeking expansion funding.

Equipment and Machinery Tokenization

Manufacturing SMEs often require expensive machinery for operations but may lack sufficient working capital. By tokenizing machinery or equipment, these enterprises can raise funds from investors interested in owning a stake in high-value assets. Tokenization also allows SMEs to structure innovative financing models, such as revenue-sharing agreements, which align investor interests with business performance.

Intellectual Property Tokenization

SMEs in technology, media, and biotech sectors possess valuable intellectual property (IP) assets, including patents, trademarks, and copyrights. Tokenizing IP can unlock capital by allowing investors to purchase fractional rights or revenue-sharing tokens linked to the IP’s commercial success. This approach not only provides funding but also incentivizes innovation by creating a market-driven valuation of intellectual property.

Invoice and Trade Finance Tokenization

SMEs involved in international trade often face cash flow constraints due to delayed payments. Tokenizing invoices and trade receivables enables SMEs to sell these assets on a secondary market, accelerating liquidity and reducing financing costs. Investors benefit from predictable returns, while SMEs gain immediate access to funds for operational and expansion needs.

Benefits for Investors

Asset tokenization is equally advantageous for investors. Fractional ownership allows diversification across multiple SMEs and industries. Investors gain access to previously illiquid or geographically restricted opportunities, often with lower minimum investment thresholds. Real-time transparency, automated dividends, and smart contract enforcement enhance security and trust.

By connecting SMEs with a broad investor base, tokenization fosters a more inclusive investment ecosystem that benefits both capital seekers and providers.

Future Outlook

The future of asset tokenization for SMEs is promising. Advances in blockchain infrastructure, regulatory frameworks, and tokenized asset marketplaces are accelerating adoption. Platforms dedicated to SME tokenization are emerging, facilitating compliance, investor onboarding, and secure trading of tokenized assets.

Furthermore, integration with decentralized finance (DeFi) protocols could allow SMEs to leverage tokenized assets as collateral for loans, enabling even more flexible and accessible financing options. As awareness grows and technology matures, asset tokenization has the potential to redefine SME financing on a global scale.

Challenges and Considerations

Despite its potential, SMEs must navigate several challenges:

  1. Technological Expertise: Implementing tokenization requires blockchain knowledge and technical infrastructure.
  2. Market Volatility: Token values may fluctuate, exposing SMEs and investors to risk.
  3. Regulatory Uncertainty: Ambiguous or evolving regulations can delay or complicate fundraising.
  4. Investor Education: Many investors may be unfamiliar with digital assets, requiring SMEs to invest in education and awareness initiatives.

By proactively addressing these challenges, SMEs can maximize the benefits of tokenization while mitigating associated risks.

Conclusion

Asset tokenization represents a revolutionary approach to SME financing, unlocking access to capital, liquidity, and global investor networks. By fractionalizing ownership and leveraging blockchain transparency, SMEs can overcome traditional barriers to funding, optimize asset utilization, and secure growth capital efficiently.

While challenges such as regulatory compliance, technical requirements, and market education exist, the potential for global impact is profound. Tokenization not only empowers SMEs to secure funding but also fosters a more inclusive, transparent, and efficient global financial ecosystem. As technology and regulations evolve, asset tokenization may well become a standard tool for SMEs seeking to unlock capital and expand their business horizons worldwide.


How Can Asset Tokenization Unlock Capital for Small and Medium Enterprises Globally? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

God Mode On: how we attacked a vehicle’s head unit modem

Introduction

Imagine you’re cruising down the highway in your brand-new electric car. All of a sudden, the massive multimedia display fills with Doom, the iconic 3D shooter game. It completely replaces the navigation map or the controls menu, and you realize someone is playing it remotely right now. This is not a dream or an overactive imagination – we’ve demonstrated that it’s a perfectly realistic scenario in today’s world.

The internet of things now plays a significant role in the modern world. Not only are smartphones and laptops connected to the network, but also factories, cars, trains, and even airplanes. Most of the time, connectivity is provided via 3G/4G/5G mobile data networks using modems installed in these vehicles and devices. These modems are increasingly integrated into a System-on-Chip (SoC), which uses a Communication Processor (CP) and an Application Processor (AP) to perform multiple functions simultaneously. A general-purpose operating system such as Android can run on the AP, while the CP, which handles communication with the mobile network, typically runs on a dedicated OS. The interaction between the AP, CP, and RAM within the SoC at the microarchitecture level is a “black box” known only to the manufacturer – even though the security of the entire SoC depends on it.

Bypassing 3G/LTE security mechanisms is generally considered a purely academic challenge because a secure communication channel is established when a user device (User Equipment, UE) connects to a cellular base station (Evolved Node B, eNB). Even if someone can bypass its security mechanisms, discover a vulnerability in the modem, and execute their own code on it, this is unlikely to compromise the device’s business logic. This logic (for example, user applications, browser history, calls, and SMS on a smartphone) resides on the AP and is presumably not accessible from the modem.

To find out whether that is true, we conducted a security assessment of a modern SoC, Unisoc UIS7862A, which features an integrated 2G/3G/4G modem. This SoC can be found in various mobile devices by multiple vendors or, more interestingly, in the head units of modern Chinese vehicles, which are becoming increasingly common on the roads. The head unit is one of a car’s key components, and a breach of its information security poses a threat to road safety, as well as the confidentiality of user data.

During our research, we identified several critical vulnerabilities at various levels of the Unisoc UIS7862A modem’s cellular protocol stack. This article discusses a stack-based buffer overflow vulnerability in the 3G RLC protocol implementation (CVE-2024-39432). The vulnerability can be exploited to achieve remote code execution at the early stages of connection, before any protection mechanisms are activated.

Importantly, gaining the ability to execute code on the modem is only the entry point for a complete remote compromise of the entire SoC. Our subsequent efforts were focused on gaining access to the AP. We discovered several ways to do so, including leveraging a hardware vulnerability in the form of a hidden peripheral Direct Memory Access (DMA) device to perform lateral movement within the SoC. This enabled us to install our own patch into the running Android kernel and execute arbitrary code on the AP with the highest privileges. Details are provided in the relevant sections.

Acquiring the modem firmware

The modem at the center of our research was found on the circuit board of the head unit in a Chinese car.

Circuit board of the head unit

Description of the circuit board components:

| Number in the board photo | Component |
|---|---|
| 1 | Realtek RTL8761ATV 802.11b/g/n 2.4G controller with wireless LAN (WLAN) and USB interfaces (USB 1.0/1.1/2.0 standards) |
| 2 | SPRD UMW2652 BGA WiFi chip |
| 3 | 55966 TYADZ 21086 chip |
| 4 | SPRD SR3595D (Unisoc) radio frequency transceiver |
| 5 | Techpoint TP9950 video decoder |
| 6 | UNISOC UIS7862A |
| 7 | BIWIN BWSRGX32H2A-48G-X internal storage, Package200-FBGA, ROM Type – Discrete, ROM Size – LPDDR4X, 48G |
| 8 | SCY E128CYNT2ABE00 EMMC 128G/JEDEC memory card |
| 9 | SPREADTRUM UMP510G5 power controller |
| 10 | FEI.1s LE330315 USB2.0 shunt chip |
| 11 | SCT2432STER synchronous step-down DC-DC converter with internal compensation |

Using information about the modem’s hardware, we desoldered and read the embedded multimedia memory card, which contained a complete image of its operating system. We then analyzed the image obtained.

Remote access to the modem (CVE-2024-39431)

The modem under investigation, like any modern modem, implements several protocol stacks: 2G, 3G, and LTE. Clearly, the more protocols a device supports, the more potential entry points (attack vectors) it has. Moreover, the lower in the OSI network model stack a vulnerability sits, the more severe the consequences of its exploitation can be. Therefore, we decided to analyze the data packet fragmentation mechanisms at the data link layer (RLC protocol).

We focused on this protocol because it is used to establish a secure encrypted data transmission channel between the base station and the modem, and, in particular, it is used to transmit higher-layer NAS (Non-Access Stratum) protocol data. NAS represents the functional level of the 3G/UMTS protocol stack. Located between the user equipment (UE) and core network, it is responsible for signaling between them. This means that a remote code execution (RCE) vulnerability in RLC would allow an attacker to execute their own code on the modem, bypassing all existing 3G communication protection mechanisms.

3G protocol stack

The RLC protocol uses three different transmission modes: Transparent Mode (TM), Unacknowledged Mode (UM), and Acknowledged Mode (AM). We are only interested in UM, because in this mode the 3G standard allows both the segmentation of data and the concatenation of several small higher-layer data fragments (Protocol Data Units, PDU) into a single data link layer frame. This is done to maximize channel utilization. At the RLC level, packets are referred to as Service Data Units (SDU).

Among the approximately 75,000 different functions in the firmware, we found the function for handling an incoming SDU packet. When handling a received SDU packet, its header fields are parsed. The packet itself consists of a mandatory header, optional headers, and data. The number of optional headers is not limited. The end of the optional headers is indicated by the least significant bit (E bit) being equal to 0. The algorithm processes each header field sequentially, while their E-bits equal 1. During processing, data is written to a variable located on the stack of the calling function. The stack depth is 0xB4 bytes. The size of the packet that can be parsed (i.e., the number of headers, each header being a 2-byte entry on the stack) is limited by the SDU packet size of 0x5F0 bytes.

As a result, exploitation can be achieved using just one packet in which the number of headers exceeds the stack depth (90 headers). It is important to note that this particular function lacks a stack canary, and when the stack overflows, it is possible to overwrite the return address and some non-volatile register values in this function. However, overwriting is only possible with a value ending in one in binary (i.e., a value in which the least significant bit equals 1). Notably, execution takes place on ARM in Thumb mode, so all return addresses must have the least significant bit equal to 1. Coincidence? Perhaps.

In any case, sending the very first dummy SDU packet with the appropriate number of “correct” headers caused the device to reboot. However, at that moment, we had no way to obtain information on where and why the crash occurred (although we suspect the cause was an attempt to transfer control to the address 0xAABBCCDD, taken from our packet).
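The header walk described above, rewritten with the bound it needs, as an added example that is not code from the modem firmware. The one-octet wire layout (value in bits 7..1, E bit in bit 0) and all function and type names are assumptions made for illustration; only the sizes 0xB4 and 0x5F0 come from the article.

```c
/* Added illustration, not code from the modem firmware.
 * Assumed wire layout: every header is one octet, value in bits 7..1,
 * E bit in bit 0 (E == 1 means another header follows). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_TABLE_BYTES 0xB4u  /* size of the on-stack table quoted in the article */
#define HDR_ENTRY_BYTES 2u     /* each parsed header is stored as a 2-byte entry */
#define HDR_SLOTS (HDR_TABLE_BYTES / HDR_ENTRY_BYTES) /* 90 entries */
#define SDU_MAX_BYTES 0x5F0u   /* maximum packet size quoted in the article */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,        /* E bit promised a header past the end of the packet */
    PARSE_TOO_MANY_HEADERS = -2, /* chain is longer than the table can hold */
    PARSE_BAD_ARGS = -3
};

struct parsed_sdu {
    uint8_t  seq;              /* value carried by the mandatory header */
    uint16_t hdr[HDR_SLOTS];   /* optional headers, one 2-byte entry each */
    size_t   hdr_count;
    size_t   payload_off;      /* offset of the first data octet */
};

/* Walks the E-bit chain without storing anything and reports how many
 * optional headers the packet claims. Shows what an unbounded parser
 * would try to write. */
size_t count_claimed_headers(const uint8_t *pdu, size_t len)
{
    size_t i = 0, n = 0;
    if (pdu == NULL || len == 0)
        return 0;
    while (i < len && (pdu[i] & 1u)) {
        i++;
        if (i < len)
            n++;
    }
    return n;
}

/* Bounded parser: the packet controls the length of the chain, so the
 * loop is limited by the table capacity and the packet length, not by
 * the E bits alone. */
int parse_sdu_headers(const uint8_t *pdu, size_t len, struct parsed_sdu *out)
{
    size_t i = 0;
    if (pdu == NULL || out == NULL || len == 0 || len > SDU_MAX_BYTES)
        return PARSE_BAD_ARGS;
    memset(out, 0, sizeof *out);
    out->seq = (uint8_t)(pdu[0] >> 1);
    while (pdu[i] & 1u) {
        i++;
        if (i >= len)
            return PARSE_TRUNCATED;
        if (out->hdr_count >= HDR_SLOTS)
            return PARSE_TOO_MANY_HEADERS; /* the bound whose absence the article describes */
        out->hdr[out->hdr_count++] = pdu[i];
    }
    out->payload_off = i + 1;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed input: every octet has E == 1, so the chain never ends. */
    static uint8_t pdu[SDU_MAX_BYTES];
    struct parsed_sdu out;
    memset(pdu, 0x01, sizeof pdu);
    printf("claimed headers: %zu, table slots: %u\n",
           count_claimed_headers(pdu, sizeof pdu), (unsigned)HDR_SLOTS);
    printf("bounded parser status: %d\n",
           parse_sdu_headers(pdu, sizeof pdu, &out));
    return 0;
}
```

A stack canary on the calling function would turn a missed bound into a detected crash, but the length check is what removes the overflow.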

Gaining persistence in the system

The first and most important observation is that we know the pointer to the newly received SDU packet is stored in register R2. Return Oriented Programming (ROP) techniques can be used to execute our own code, but first we need to make sure it is actually possible.

We utilized the available AT command handler to move the data to RAM areas. Among the available AT commands, we found a suitable function – SPSERVICETYPE.

Next, we used ROP gadgets to overwrite the address 0x8CE56218 without disrupting the subsequent operation of the incoming SDU packet handling algorithm. To achieve this, it was sufficient to return to the function from which the SDU packet handler was called, because it was invoked as a callback, meaning there is no data linkage on the stack. Given that this function only added 0x2C bytes to the stack, we needed to fit within this size.

Stack overflow in the context of the operating system

Having found a suitable ROP chain, we launched an SDU packet containing it as a payload. As a result, we saw the output 0xAABBCCDD in the AT command console for SPSERVICETYPE. Our code worked!

Next, by analogy, we input the address of the stack frame where our data was located, but it turned out not to be executable. We then faced the task of figuring out the MPU settings on the modem. Once again, using the ROP chain method, we generated code that read the MPU table, one DWORD at a time. After many iterations, we obtained the following table.

The table shows what we suspected – the code section is only mapped for execution. An attempt to change the configuration resulted in another ROP chain, but this same section was now mapped with write permissions in an unused slot in the table. Because of MPU programming features, specifically the presence of the overlap mechanism and the fact that a region with a higher ID has higher priority, we were able to write to this section.
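The overlap rule described above (the region with the higher ID wins), turned into a configuration audit, as an added example that is not code from the article or the firmware. The region table, addresses and all names are constructed for illustration, and regions are modelled as plain base/size ranges without hardware alignment rules.

```c
/* Added illustration: audit an MPU region table for code ranges that an
 * overlapping higher-numbered region makes writable. All values constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u

struct mpu_region {
    bool     enabled;
    uint32_t base;
    uint32_t size;   /* bytes */
    unsigned perms;  /* PERM_* bits */
};

static bool region_contains(const struct mpu_region *r, uint32_t addr)
{
    return r->enabled && r->size != 0 &&
           addr >= r->base && (addr - r->base) < r->size;
}

/* Index of the region that decides access at addr: the highest-numbered
 * enabled region containing it, or -1 if none does. */
int effective_region(const struct mpu_region *t, size_t n, uint32_t addr)
{
    for (size_t i = n; i-- > 0; )
        if (region_contains(&t[i], addr))
            return (int)i;
    return -1;
}

unsigned effective_perms(const struct mpu_region *t, size_t n, uint32_t addr)
{
    int win = effective_region(t, n, addr);
    return win < 0 ? 0u : t[win].perms;
}

static bool any_region_grants_x(const struct mpu_region *t, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (region_contains(&t[i], addr) && (t[i].perms & PERM_X))
            return true;
    return false;
}

/* Effective permissions only change at region starts and ends, so checking
 * those addresses covers the whole map. Returns the index of the region that
 * makes a code address writable (address stored in *addr_out), or -1. */
int find_writable_code(const struct mpu_region *t, size_t n, uint32_t *addr_out)
{
    for (size_t i = 0; i < n; i++) {
        if (!t[i].enabled || t[i].size == 0)
            continue;
        uint64_t pts[2] = { t[i].base, (uint64_t)t[i].base + t[i].size };
        for (int k = 0; k < 2; k++) {
            if (pts[k] > UINT32_MAX)
                continue;
            uint32_t a = (uint32_t)pts[k];
            int win = effective_region(t, n, a);
            if (win < 0 || !(t[win].perms & PERM_W))
                continue;
            if (any_region_grants_x(t, n, a)) {
                if (addr_out != NULL)
                    *addr_out = a;
                return win;
            }
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed table: slot 0 is code (R+X), slot 1 is data (R+W),
     * slot 7 is a normally unused slot overlapping part of the code. */
    struct mpu_region t[8] = {
        { true, 0x80000000u, 0x00400000u, PERM_R | PERM_X },
        { true, 0x80400000u, 0x00100000u, PERM_R | PERM_W },
    };
    uint32_t addr = 0;
    printf("baseline finding: %d\n", find_writable_code(t, 8, &addr));
    t[7] = (struct mpu_region){ true, 0x80200000u, 0x1000u, PERM_R | PERM_W };
    int slot = find_writable_code(t, 8, &addr);
    printf("after overlay: slot %d makes 0x%08x writable\n", slot, (unsigned)addr);
    return 0;
}
```

Checking each region in isolation misses this case: the code region itself still reads as execute-only, and only the resolved view shows the write access.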

All that remained was to use the pointer to our data (still stored in R2) and patch the code section that had just been unlocked for writing. The question was what exactly to patch. The simplest method was to patch the NAS protocol handler by adding our code to it. To do this, we used one of the NAS protocol commands – MM information. This allowed us to send a large amount of data at once and, in response, receive a single byte of data using the MM status command, which confirmed the patching success.

As a result, we not only successfully executed our own code on the modem side but also established full two-way communication with the modem, using the high-level NAS protocol as a means of message delivery. In this case, it was an MM Status packet with the cause field equaling 0xAA.

However, being able to execute our own code on the modem does not give us access to user data. Or does it?

The full version of the article with a detailed description of the development of an AR exploit that led to Doom being run on the head unit is available on the ICS CERT website.

What even is the AI bubble?

MIT Technology Review Explains: Let our writers untangle the complex, messy world of technology to help you understand what’s coming next.

In July, a widely cited MIT study claimed that 95% of organizations that invested in generative AI were getting “zero return.” Tech stocks briefly plunged. While the study itself was more nuanced than the headlines, for many it still felt like the first hard data point confirming what skeptics had muttered for months: Hype around AI might be outpacing reality.

Then, in August, OpenAI CEO Sam Altman said what everyone in Silicon Valley had been whispering. “Are we in a phase where investors as a whole are overexcited about AI?” he said during a press dinner I attended. “My opinion is yes.” 


This story is part of MIT Technology Review’s Hype Correction package, a series that resets expectations about what AI is, what it makes possible, and where we go next.


He compared the current moment to the dot-com bubble. “When bubbles happen, smart people get overexcited about a kernel of truth,” he explained. “Tech was really important. The internet was a really big deal. People got overexcited.” 

With those comments, it was off to the races. The next day’s stock market dip was attributed to the sentiment he shared. The question “Are we in an AI bubble?” became inescapable.

Who thinks it is a bubble? 

The short answer: Lots of people. But not everyone agrees on who or what is overinflated. Tech leaders are using this moment of fear to take shots at their rivals and position themselves as clear winners on the other side. How they describe the bubble depends on where their company sits.

When I asked Meta CEO Mark Zuckerberg about the AI bubble in September, he ran through the historical analogies of past bubbles—railroads, fiber for the internet, the dot-com boom—and noted that in each case, “the infrastructure gets built out, people take on too much debt, and then you hit some blip … and then a lot of the companies end up going out of business.”

But Zuckerberg’s prescription wasn’t for Meta to pump the brakes. It was to keep spending: “If we end up misspending a couple of hundred billion dollars, I think that that is going to be very unfortunate, obviously. But I’d say the risk is higher on the other side.”

Bret Taylor, the chairman of OpenAI and CEO of the AI startup Sierra, uses a mental model from the late ’90s to help navigate this AI bubble. “I think the closest analogue to this AI wave is the dot-com boom or bubble, depending on your level of pessimism,” he recently told me. Back then, he explained, everyone knew e-commerce was going to be big, but there was a massive difference between Buy.com and Amazon. Taylor and others have been trying to position themselves as today’s Amazon.

Still others are arguing that the pain will be widespread. Google CEO Sundar Pichai told the BBC this month that there’s “some irrationality” in the current boom. Asked whether Google would be immune to a bubble bursting, he warned, “I think no company is going to be immune, including us.”

What’s inflating the bubble?

Companies are raising enormous sums of money and seeing unprecedented valuations. Much of that money, in turn, is going toward the buildout of massive data centers—on which both private companies like OpenAI and Elon Musk’s xAI and public ones such as Meta and Google are spending heavily. OpenAI has pledged that it will spend $500 billion to build AI data centers, more than 15 times what was spent on the Manhattan Project.

This eye-popping spending on AI data centers isn’t entirely detached from reality. The leaders of the top AI companies all stress that they’re bottlenecked by their limited access to computing power. You hear it constantly when you talk to them. Startups can’t get the GPU allocations they need. Hyperscalers are rationing compute, saving it for their best customers.

If today’s AI market is as brutally supply-constrained as tech leaders claim, perhaps aggressive infrastructure buildouts are warranted. But some of the numbers are too large to comprehend. Sam Altman has told employees that OpenAI’s moonshot goal is to build 250 gigawatts of computing capacity by 2033, roughly equaling India’s total national electricity demand. Such a plan would cost more than $12 trillion by today’s standards.

“I do think there’s real execution risk,” OpenAI president and cofounder Greg Brockman recently told me about the company’s aggressive infrastructure goals. “Everything we say about the future, we see that it’s a possibility. It is not a certainty, but I don’t think the uncertainty comes from scientific questions. It’s a lot of hard work.”

Who is exposed, and who is to blame?

It depends on who you ask. During the August press dinner, where he made his market-moving comments, Altman was blunt about where he sees the excess. He said it’s “insane” that some AI startups with “three people and an idea” are receiving funding at such high valuations. “That’s not rational behavior,” he said. “Someone’s gonna get burned there, I think.” As Safe Superintelligence cofounder (and former OpenAI chief scientist and cofounder) Ilya Sutskever put it on a recent podcast: Silicon Valley has “more companies than ideas.”

Demis Hassabis, the CEO of Google DeepMind, offered a similar diagnosis when I spoke with him in November. “It feels like there’s obviously a bubble in the private market,” he said. “You look at seed rounds with just nothing being tens of billions of dollars. That seems a little unsustainable.”

Anthropic CEO Dario Amodei also struck at his competition during the New York Times DealBook Summit in early December. He said he feels confident about the technology itself but worries about how others are behaving on the business side: “On the economic side, I have my concerns where, even if the technology fulfills all its promises, I think there are players in the ecosystem who, if they just make a timing error, they just get it off by a little bit, bad things could happen.”

He stopped short of naming Sam Altman and OpenAI, but the implication was clear. “There are some players who are YOLOing,” he said. “Let’s say you’re a person who just kind of constitutionally wants to YOLO things or just likes big numbers. Then you may turn the dial too far.”

Amodei also flagged “circular deals,” or the increasingly common arrangements where chip suppliers like Nvidia invest in AI companies that then turn around and spend those funds on their chips. Anthropic has done some of these, he said, though “not at the same scale as some other players.” (OpenAI is at the center of a number of such deals, as are Nvidia, CoreWeave, and a roster of other players.) 

The danger, he explained, comes when the numbers get too big: “If you start stacking these where they get to huge amounts of money, and you’re saying, ’By 2027 or 2028 I need to make $200 billion a year,’ then yeah, you can overextend yourself.”

Zuckerberg shared a similar message at an internal employee Q&A session after Meta’s last earnings call. He noted that unprofitable startups like OpenAI and Anthropic risk bankruptcy if they misjudge the timing of their investments, but Meta has the advantage of strong cash flow, he reassured staff.

How could a bubble burst?

My conversations with tech executives and investors suggest that the bubble will be most likely to pop if overfunded startups can’t turn a profit or grow into their lofty valuations. This bubble could last longer than past ones, given that private markets aren’t traded on public markets and therefore move more slowly, but the ripple effects will still be profound when the end comes.

If companies making grand commitments to data center buildouts no longer have the revenue growth to support them, the headline deals that have propped up the stock market come into question. Anthropic’s Amodei illustrated the problem during his DealBook Summit appearance, where he said the multi-year data center commitments he has to make combine with the company’s rapid, unpredictable revenue growth rate to create a “cone of uncertainty” about how much to spend.

The two most prominent private players in AI, OpenAI and Anthropic, have yet to turn a profit. A recent Deutsche Bank chart put the situation in stark historical context. Amazon burned through $3 billion before becoming profitable. Tesla, around $4 billion. Uber, $30 billion. OpenAI is projected to burn through $140 billion by 2029, while Anthropic is expected to burn $20 billion by 2027.

Consultants at Bain estimate that the wave of AI infrastructure spending will require $2 trillion in annual AI revenue by 2030 just to justify the investment. That’s more than the combined 2024 revenue of Amazon, Apple, Alphabet, Microsoft, Meta, and Nvidia. When I talk to leaders of these large tech companies, they all agree that their sprawling businesses can absorb an expensive miscalculation about the returns from their AI infrastructure buildouts. It’s all the other companies that are either highly leveraged with debt or just unprofitable—even OpenAI and Anthropic—that they worry about. 

Still, given the level of spending on AI, it needs a viable business model beyond subscriptions, which won’t be able to drive profits from billions of people’s eyeballs like the ad-driven businesses that have defined the last 20 years of the internet. Even the largest tech companies know they need to ship the world-changing agents they keep hyping: AI that can fully replace coworkers and complete tasks in the real world.

For now, investors are mostly buying into the hype of the powerful AI systems that these data center buildouts will supposedly unlock in the future. At some point the biggest spenders, like OpenAI, will need to show investors that the money spent on the infrastructure buildout was worth it.

There’s also still a lot of uncertainty about the technical direction that AI is heading in. LLMs are expected to remain critical to more advanced AI systems, but industry leaders can’t seem to agree on which additional breakthroughs are needed to achieve artificial general intelligence, or AGI. Some are betting on new kinds of AI that can understand the physical world, while others are focused on training AI to learn in a general way, like a human. In other words, what if all this unprecedented spending turns out to have been backing the wrong horse?

The question now

What makes this moment surreal is the honesty. The same people pouring billions into AI will openly tell you it might all come crashing down. 

Taylor framed it as two truths existing at once. “I think it is both true that AI will transform the economy,” he told me, “and I think we’re also in a bubble, and a lot of people will lose a lot of money. I think both are absolutely true at the same time.”

He compared it to the internet. Webvan failed, but Instacart succeeded years later with essentially the same idea. If you were an Amazon shareholder from its IPO to now, you’re looking pretty good. If you were a Webvan shareholder, you probably feel differently. 

“When the dust settles and you see who the winners are, society benefits from those inventions,” Amazon founder Jeff Bezos said in October. “This is real. The benefit to society from AI is going to be gigantic.”

Goldman Sachs says the AI boom now looks the way tech stocks did in 1997, several years before the dot-com bubble actually burst. The bank flagged five warning signs seen in the late 1990s that investors should watch now: peak investment spending, falling corporate profits, rising corporate debt, Fed rate cuts, and widening credit spreads. We’re probably not at 1999 levels yet. But the imbalances are building fast. Michael Burry, who famously called the 2008 housing bubble collapse (as seen in the film The Big Short), recently compared the AI boom to the 1990s dot-com bubble too.

Maybe AI will save us from our own irrational exuberance. But for now, we’re living in an in-between moment when everyone knows what’s coming but keeps blowing more air into the balloon anyway. As Altman put it that night at dinner: “Someone is going to lose a phenomenal amount of money. We don’t know who.”

Alex Heath is the author of Sources, a newsletter about the AI race, and the cohost of ACCESS, a podcast about the tech industry’s inside conversations. Previously, he was deputy editor at The Verge.

How a Tokenization Platform Can Transform the Gaming Industry

Transforming Gaming: The Power of Tokenization Platforms

The gaming industry has experienced a remarkable evolution over the past decade, transitioning from simple console and PC-based games to complex online, multiplayer, and immersive digital experiences. As technology continues to advance, the integration of blockchain and tokenization is redefining how players, developers, and investors interact within the gaming ecosystem. Tokenization platforms are at the heart of this transformation, providing the infrastructure to create, manage, and trade digital assets securely on the blockchain.

Tokenization Platform

Traditionally, gamers invested significant time and money in virtual assets (skins, weapons, characters) but had no ownership rights. These assets were controlled by centralized game servers, meaning players could lose them at any time. Tokenization changes this dynamic by converting in-game items, characters, currency, and even digital land into blockchain-based tokens, giving players provable ownership and the ability to trade these assets freely.

Understanding Tokenization Platforms in Gaming

A tokenization platform in gaming is a blockchain-based infrastructure that allows in-game assets to be digitized as tokens. Each token represents ownership, utility, or value within a game or across multiple games. Tokenization enables players to truly own their assets, transfer them, trade them on secondary markets, and even leverage them for financial activities such as lending or staking.

Tokenization platforms typically include:

  • NFT Minting Capabilities: Converting unique assets like skins, characters, or items into non-fungible tokens (NFTs).
  • Marketplace Integration: Providing a platform for buying, selling, or trading tokenized assets.
  • Smart Contract Functionality: Automating rules for ownership, transactions, royalties, and scarcity.
  • Cross-Game Compatibility: Enabling assets to be used across multiple games or metaverses.

By creating a secure and transparent tokenized ecosystem, gaming platforms enhance both player engagement and economic opportunities within the digital space.

Key Ways Tokenization Platforms Transform Gaming

1. True Ownership of Digital Assets

Traditionally, in-game assets are controlled by game developers and remain locked within the platform. Players often purchase items, currency, or skins without legal ownership. Tokenization platforms shift this model, granting players verifiable ownership of assets via blockchain. Players can hold, transfer, or trade their assets independently, establishing a digital property rights system within gaming ecosystems.

2. Monetization Opportunities for Players

Tokenization enables players to earn tangible value from in-game activities. Through tokenized assets, players can:

  • Trade rare items or skins on secondary markets for cryptocurrency or fiat.
  • Lease virtual assets to other players or developers.
  • Participate in play-to-earn (P2E) models where game performance translates into token rewards.

This economic layer incentivizes active engagement, rewards skill and creativity, and blurs the line between entertainment and investment.

3. Enhanced Developer Revenue Streams

For developers, tokenization platforms offer new ways to monetize games beyond traditional purchases or subscriptions:

  • NFT sales or initial asset offerings provide immediate capital.
  • Smart contract-enforced royalties ensure developers earn a percentage of secondary market trades.
  • Virtual real estate, digital assets, and branded items can generate recurring revenue.

Tokenization aligns incentives between developers and players, creating a mutually beneficial ecosystem.

4. Interoperability Across Games and Metaverses

Tokenization platforms facilitate cross-platform asset usage. Players can move their NFTs or tokens between compatible games, metaverses, or virtual experiences. Interoperable assets increase their utility and value, encouraging broader adoption and creating interconnected digital ecosystems where players retain control of their assets.

5. Transparency and Security

Blockchain-based tokenization provides transparent and immutable records of asset ownership and transaction history. Players and developers can verify authenticity, track transfers, and prevent duplication or fraud. Security features inherent to blockchain reduce risks of hacking, unauthorized modifications, or asset theft.

6. Community-Driven Development and Governance

Tokenization platforms often integrate governance mechanisms through native tokens or NFTs. Players can participate in decision-making, vote on in-game updates, and influence ecosystem development. This decentralized model empowers communities, fosters loyalty, and encourages long-term engagement.

Benefits of Tokenization Platforms in Gaming

Tokenization platforms offer transformative benefits for both players and developers, fundamentally changing the gaming experience.

True Ownership for Players

Tokenization gives players verifiable ownership of their in-game assets. Unlike traditional games, where developers control and can revoke access to assets, blockchain-based tokens allow players to maintain control, trade freely, and even derive real-world value from virtual items. This ownership fosters a stronger sense of investment and engagement, encouraging players to participate more actively in the game.

Monetization Opportunities

Tokenized assets create real economic opportunities for players and developers. Players can sell, trade, or rent their in-game items or digital land, generating income from their gaming activities. Developers benefit from fees on secondary market transactions, asset creation, or token sales, creating sustainable revenue streams beyond traditional game purchases or subscriptions.

Enhanced Engagement and Loyalty

By providing ownership and monetization incentives, tokenization platforms increase player engagement and loyalty. Players are more likely to invest time and resources in games where their contributions have lasting value. This transforms gaming from a purely recreational activity into an immersive, strategic, and economically rewarding experience.

Global Accessibility

Tokenization enables players worldwide to participate in gaming economies without relying on traditional financial systems. Blockchain allows cross-border transactions, making it easier for international players to buy, sell, or trade assets. This global accessibility expands the player base and fosters a diverse, interconnected gaming community.

Scarcity and Value Creation

Tokenization introduces verifiable scarcity, which enhances the perceived value of in-game assets. Rare items, unique avatars, or limited virtual land plots gain tangible value as digital collectibles, similar to physical luxury goods. Scarcity also incentivizes early participation, rewarding players and investors who engage with tokenized ecosystems early.

Transforming the Gaming Industry: Real-World Examples

Tokenization platforms have already begun transforming the gaming industry through innovative models.

Play-to-Earn Models

Games like Axie Infinity leverage tokenization to create play-to-earn ecosystems. Players earn tokens by battling, breeding, or trading NFT characters. Tokenization platforms secure these transactions, verify ownership, and enable marketplace trading, transforming in-game achievements into real-world income opportunities.

Digital Real Estate and Metaverses

Platforms like The Sandbox and Decentraland tokenize virtual land, allowing players to purchase, develop, and monetize plots. Landowners can host events, rent space to other players, or create immersive experiences. Tokenization ensures secure ownership and trade, transforming digital land into a valuable, scarce, and tradable asset class within gaming ecosystems.

Cross-Platform Assets

Emerging platforms support cross-game asset usage. NFTs minted in one game can appear in other compatible games or ecosystems, expanding utility and value. For example, a sword or character NFT could function as both a weapon in one game and a collectible in another, increasing the asset’s liquidity and desirability.

Challenges and Considerations

Despite the benefits, tokenization platforms in gaming face certain challenges:

  • Regulatory Uncertainty: Digital assets may fall under securities, taxation, or gambling regulations in different jurisdictions.
  • Market Volatility: The value of tokenized assets can fluctuate significantly, affecting player investment and ecosystem stability.
  • Technical Complexity: Implementing tokenization requires blockchain expertise, secure smart contracts, and robust infrastructure.
  • User Adoption: Players unfamiliar with blockchain may face learning curves, requiring intuitive design and onboarding.
  • Environmental Concerns: Certain blockchain protocols consume significant energy, necessitating eco-friendly alternatives.

Careful planning, legal compliance, and secure technological implementation are essential for sustainable adoption.

The Future of Gaming Tokenization Platforms

The potential of tokenization platforms in gaming continues to expand:

  • Integration with DeFi: Players may use tokenized assets as collateral for loans, staking, or decentralized financial services.
  • AI-Enhanced Gameplay: AI can dynamically adjust gameplay or asset rarity based on token data.
  • Cross-Metaverse Economies: Tokenized assets may flow between multiple virtual worlds, creating unified digital economies.
  • Corporate and Brand Participation: Brands may issue virtual assets or sponsor events on tokenized platforms, enhancing marketing and engagement.
  • Sustainability Innovations: Layer-2 solutions and energy-efficient blockchains will reduce the environmental impact of tokenization.

The convergence of gaming, blockchain, and tokenization points toward immersive, player-driven economies where digital assets carry real-world value.

Conclusion

Tokenization platforms are redefining the gaming industry by providing true asset ownership, decentralized economies, and new monetization opportunities. Players become stakeholders, creators, and entrepreneurs, while developers benefit from robust engagement and sustainable revenue streams.

By bridging blockchain technology with gaming, tokenization platforms transform virtual worlds into immersive, player-driven economies. While challenges remain, the potential for innovation, inclusion, and economic growth positions tokenization platforms as a cornerstone of the future gaming landscape.


How a Tokenization Platform Can Transform the Gaming Industry was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

How Real-World Asset Tokenization Is Changing the Way Assets Are Bought and Sold

Tokenization is transforming how assets are bought and sold

Real-World Asset Tokenization

Real-world asset tokenization has rapidly emerged as one of the most transformative innovations in digital finance. By converting physical and traditional financial assets into blockchain-based tokens, this model is reshaping how assets are bought, sold, traded, and owned. From real estate and commodities to private credit, fine art, intellectual property, and even carbon credits, tokenization introduces a level of liquidity, transparency, and accessibility previously unattainable in conventional markets. As global institutions, enterprises, and investors continue to explore tokenized asset ecosystems, the shift is redefining fundamental market structures and creating entirely new opportunities for capital formation and economic participation.

Understanding Real-World Asset Tokenization

Real-world asset tokenization is the process of creating digital representations of physical or financial assets on a blockchain. These tokens are programmable and can be traded, split, or bundled to reflect ownership, usage rights, or revenue entitlements. For example, a tokenized piece of real estate could provide holders with rental income and appreciation proportional to their ownership share, while a tokenized commodity like gold could represent fractional ownership of the physical asset stored in a vault.

Tokenization can be applied to a wide range of assets, including:

  • Real estate: Residential, commercial, and vacation properties.
  • Commodities: Precious metals, oil, or agricultural products.
  • Financial instruments: Bonds, equities, and alternative investment funds.
  • Art and collectibles: High-value paintings, sculptures, and rare items.

Why Traditional Ownership and Trade Models Limit Market Efficiency

Most real-world assets — such as real estate, private equity, luxury goods, or commodities — are inherently illiquid. Traditional frameworks for buying or selling these assets include:

  • lengthy due diligence and documentation processes
  • high minimum investment thresholds
  • multiple intermediaries, each adding cost and delay
  • limited access to global buyers and sellers
  • regulatory barriers associated with cross-border transactions

These frictions restrict market participation and result in inefficient capital flow. Investors struggle to access attractive alternative asset classes, while asset owners find it difficult to unlock liquidity without selling the entire property or security.

How Tokenization Changes the Buying and Selling of Assets

1. Transactions Become Faster and More Efficient

Traditional asset transfers depend on clearinghouses, brokers, custodians, and legal verifications. These layers create delays that extend settlement times from days to weeks. Tokenization collapses these steps into a single blockchain transaction validated within seconds.

  • Real estate transfers no longer require lengthy title searches
  • Bond settlements move from T+2 to near-instant
  • Commodity ownership can shift without physical documentation
  • Private equity shares can be transferred digitally without complex approval processes

The use of smart contracts further automates compliance, payments, and settlement, removing human error and minimizing administrative workloads. The resulting efficiency reshapes how markets function, enabling higher transaction volumes and greater capital mobility.

2. Fractional Ownership Expands Investor Participation

One of the most impactful changes in asset markets is the introduction of fractional ownership through tokenization. By dividing assets into smaller units, tokenization lowers entry barriers and democratizes access.

Fractionalization enables:

  • A retail investor to buy $100 worth of a commercial building instead of the full $10 million property
  • Ownership of rare art pieces or luxury goods by multiple investors
  • Participation in corporate equity or private funds with small minimum investments
  • Commodity investments without requiring entire lots or warehouses

This transformation increases market depth and unlocks demand from investors previously priced out of the market. It also enables diversified portfolios, as individuals can allocate capital across multiple high-value assets without needing significant funds.

3. Enhanced Liquidity Through 24/7 Token Markets

Traditionally, many real-world assets suffer from low liquidity. Real estate, private equity, fine art, and collectibles are difficult to sell quickly without heavy price discounts. Tokenization counters this limitation by enabling continuous, global trading of asset-backed tokens.

Token marketplaces and regulated digital exchanges allow tokens to be bought and sold around the clock, similar to cryptocurrencies. This liquidity reduces the inefficiencies associated with long holding periods and creates new liquidity pathways for asset owners.

4. Global Accessibility and Cross-Border Transactions

Tokenization removes geographic barriers by making assets accessible to global investors through decentralized blockchain networks. Investors from any region can participate in tokenized markets, provided regulatory frameworks allow it.

This global reach:

  • Expands investor pools
  • Reduces dependency on local capital markets
  • Allows assets to be priced more efficiently
  • Enhances market competition

For asset owners, tokenization provides access to capital far beyond local markets, enabling more favorable price discovery and investment opportunities.

5. Transparent Ownership and Reduced Fraud

Blockchain’s immutable ledger records every transaction, providing a transparent and tamper-proof record of ownership. This visibility reduces the prevalence of fraud, title disputes, and double-selling of assets.

In sectors such as supply chain, luxury goods, and commodities, tokenization ensures authenticity and verification at each stage of the asset’s lifecycle. Transparent records reduce operational risks and improve trust among investors, regulators, and asset handlers.

6. Programmable Assets and Smart Contract Automation

Tokenized assets become programmable, meaning their behavior, conditions, and rights can be embedded directly into the code through smart contracts. These programmable functions include:

  • Automatic distribution of rental income or dividends
  • Enforcement of compliance rules
  • Real-time valuation updates
  • Automated vesting schedules
  • Collateral liquidation procedures

Programmability replaces manual processes and enhances the functionality of assets beyond traditional models.

Benefits of Tokenizing Real-World Assets

1. Democratization of Investment

By enabling fractional ownership and global accessibility, tokenization democratizes investment opportunities. Small investors can now gain exposure to high-value assets, diversifying their portfolios without the need for large capital commitments. Democratization also promotes inclusivity and allows participation from regions previously excluded from certain markets.

2. Enhanced Market Liquidity

Tokenized assets are tradable on secondary markets, enabling faster and more flexible buying and selling. This liquidity attracts a larger investor base and facilitates better price discovery, creating more efficient markets for previously illiquid assets.

3. Transparency and Trust

Blockchain’s transparent ledger ensures investors have access to real-time ownership and transaction data. Automated compliance and smart contracts reduce operational risk and build trust among participants, encouraging greater investment activity.

4. Lower Barriers to Entry

High-value assets that were traditionally restricted to institutional investors are now accessible to smaller participants. This opens up opportunities for diversified investment strategies and allows more people to participate in wealth creation.

5. Efficient Capital Raising for Asset Owners

Asset owners can raise capital more efficiently by tokenizing their assets and selling tokens directly to investors. This reduces dependence on traditional financing methods, cuts costs, and accelerates the fundraising process.

Real-World Examples of Tokenized Assets

  1. Real Estate: Platforms like RealT and Slice RE tokenize residential and commercial properties, allowing investors to purchase fractional ownership and earn rental income or appreciation.
  2. Commodities: Gold and other precious metals have been tokenized, enabling investors to own fractions of physical commodities without storing or transporting them.
  3. Art and Collectibles: Tokenization platforms allow fractional ownership of artworks and rare collectibles, giving investors exposure to valuable assets with lower capital requirements.
  4. Bonds and Securities: Tokenized bonds and equity shares are traded on blockchain networks, offering improved liquidity, faster settlement, and lower operational costs.

Challenges and Considerations

Despite its benefits, real-world asset tokenization faces several challenges:

1. Regulatory Uncertainty

The regulatory environment for tokenized assets is still evolving. Different jurisdictions have varying rules regarding securities, property ownership, and digital assets. Compliance with KYC/AML regulations and securities laws is critical, and uncertainty can slow adoption.

2. Market Adoption

Tokenization is still relatively new, and investors may be hesitant to adopt it without understanding the technology or market dynamics. Education and awareness are crucial to wider adoption.

3. Technology Risks

While blockchain is secure, smart contracts and token platforms must be thoroughly audited to prevent coding errors, security breaches, or vulnerabilities that could compromise investor funds.

4. Valuation and Pricing

Determining the accurate value of tokenized assets can be challenging, especially for illiquid or non-standard assets. Transparent and reliable valuation mechanisms are essential for investor confidence and market efficiency.

Future Outlook

The potential of real-world asset tokenization is vast. Some trends shaping the future include:

  • Integration with DeFi Platforms: Tokenized assets may be used as collateral in decentralized finance ecosystems, enabling lending, borrowing, and liquidity pooling.
  • Expansion Across Asset Classes: Beyond real estate and commodities, tokenization will likely include infrastructure, intellectual property, and private equity.
  • Globalized Investment Platforms: Cross-border tokenized asset trading will become more seamless, enhancing market liquidity and access.
  • Institutional Participation: Institutional investors are expected to adopt tokenization for portfolio diversification, capital efficiency, and improved liquidity management.
  • Smart Contract Innovations: More sophisticated contracts will automate governance, compliance, and profit distribution, reducing operational complexity and risk.

As technology matures and regulatory frameworks stabilize, tokenization has the potential to become a mainstream approach for buying, selling, and managing assets.

Conclusion

Real-world asset tokenization is transforming how physical and financial assets are bought, sold, and managed by converting them into digital tokens. This process enables fractional ownership, enhances liquidity, lowers entry barriers, and increases transparency and efficiency, giving investors greater flexibility, global access, and faster transactions while allowing asset owners to raise capital more efficiently and reach broader markets. Although challenges such as regulatory uncertainty, technological risks, and adoption hurdles remain, the advantages are clear, and as blockchain adoption grows, tokenization is poised to make previously illiquid assets accessible, tradable, and inclusive for investors worldwide.


How Real-World Asset Tokenization Is Changing the Way Assets Are Bought and Sold was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Exploits and vulnerabilities in Q3 2025

In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let us consider the number of registered CVEs by month for the last five years up to and including the third quarter of 2025.

Total published vulnerabilities by month from 2021 through 2025

As can be seen from the chart, the monthly number of vulnerabilities published in the third quarter of 2025 remains above the figures recorded in previous years. The three-month total saw over 1000 more published vulnerabilities year over year. The end of the quarter sets a rising trend in the number of registered CVEs, and we anticipate this growth to continue into the fourth quarter. Still, the overall number of published vulnerabilities is likely to drop slightly relative to the September figure by year-end.

A look at the monthly distribution of vulnerabilities rated as critical upon registration (CVSS > 8.9) suggests that this metric was marginally lower in the third quarter than the 2024 figure.

Total number of critical vulnerabilities published each month from 2021 to 2025

Exploitation statistics

This section contains exploitation statistics for Q3 2025. The data draws on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q3 2025, as before, the most common exploits targeted vulnerable Microsoft Office products.

Most Windows exploits detected by Kaspersky solutions targeted the following vulnerabilities:

  • CVE-2018-0802: a remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor
  • CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system

These vulnerabilities historically have been exploited by threat actors more frequently than others, as discussed in previous reports. In the third quarter, we also observed threat actors actively exploiting Directory Traversal vulnerabilities that arise during archive unpacking in WinRAR. While the originally published exploits for these vulnerabilities are not applicable in the wild, attackers have adapted them for their needs.

  • CVE-2023-38831: a vulnerability in WinRAR that involves improper handling of objects within archive contents. We discussed this vulnerability in detail in a 2024 report.
  • CVE-2025-6218 (ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. A malicious actor can extract the archive into a system application or startup directory to execute malicious code. For a more detailed analysis of the vulnerability, see our Q2 2025 report.
  • CVE-2025-8088: a zero-day vulnerability similar to CVE-2025-6218, discovered during an analysis of APT attacks. The attackers used NTFS Streams to circumvent controls on the directory into which files were unpacked. We will take a closer look at this vulnerability below.

It should be pointed out that vulnerabilities discovered in 2025 are rapidly catching up in popularity to those found in 2023.

All the CVEs mentioned can be exploited to gain initial access to vulnerable systems. We recommend promptly installing updates for the relevant software.
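The WinRAR issues listed above have one thing in common: a name stored inside the archive decides where a file is written. As an added example (not taken from the report), the Python check below flags entry names that are absolute, contain a `..` component, contain an NTFS stream separator, or resolve outside the destination directory; it applies to any archive listing, not only RAR, and the function names, labels, destination path and sample listing are constructed for illustration.

```python
import ntpath

# Verdict labels (names chosen for this example).
ABSOLUTE = "absolute-or-drive-path"
TRAVERSAL = "parent-directory-component"
STREAM = "ntfs-stream-separator"
ESCAPES = "resolves-outside-destination"

# Constructed sample data: a destination directory and an archive listing.
SAMPLE_DEST = r"C:\Extract\out"
SAMPLE_LISTING = [
    "docs/readme.txt",            # ordinary entry
    "..\\..\\outside\\file.txt",  # relative path climbing out of dest
    "sub/../ok.txt",              # ".." that happens to stay inside dest
    "C:\\Windows\\x.dll",         # drive-qualified absolute path
    "/rooted/file",               # rooted path without a drive
    "notes.txt:hidden",           # name addressing an alternate data stream
]


def classify_entry(name, dest):
    """Return the reasons an entry name is unsafe to extract under dest.

    An empty list means the name stays inside dest under Windows path
    rules. ntpath is used so the result is the same on any analysis host.
    """
    reasons = []
    # Archives may store either separator; Windows accepts both.
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)

    # Drive letters, UNC prefixes and rooted paths ignore the destination.
    if drive or rest.startswith("\\"):
        reasons.append(ABSOLUTE)

    # Reject any ".." component, even one that would land back inside dest.
    if ".." in rest.split("\\"):
        reasons.append(TRAVERSAL)

    # A colon after the drive part addresses an NTFS alternate data stream.
    if ":" in rest:
        reasons.append(STREAM)

    # Independent check: resolve the final path and compare it with dest.
    base = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, norm)))
    if not target.startswith(base + "\\"):
        reasons.append(ESCAPES)
    return reasons


def audit_listing(names, dest):
    """Map each flagged entry name to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = classify_entry(name, dest)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in audit_listing(SAMPLE_LISTING, SAMPLE_DEST).items():
        print(f"{entry!r}: {', '.join(why)}")
```

Running the name rules and the resolved-path comparison side by side means a name that slips past one rule is still caught by the other.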

Dynamics of the number of Windows users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100%

According to our telemetry, the number of Windows users who encountered exploits increased in the third quarter compared to the previous reporting period. However, this figure is lower than that of Q3 2024.

For Linux devices, exploits for the following OS kernel vulnerabilities were detected most frequently:

  • CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications
  • CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
  • CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem. The widespread exploitation of this vulnerability is due to its use of popular memory modification techniques: manipulating “msg_msg” primitives, which leads to a Use-After-Free security flaw.

Dynamics of the number of Linux users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100%

A look at the number of users who encountered exploits suggests that it continues to grow, and in Q3 2025, it already exceeds the Q1 2023 figure by more than six times.

It is critically important to install security patches for the Linux operating system, as it is attracting more and more attention from threat actors each year – primarily due to the growing number of user devices running Linux.

Most common published exploits

In Q3 2025, exploits targeting operating system vulnerabilities continue to predominate over those targeting other software types that we track as part of our monitoring of public research, news, and PoCs. That said, the share of browser exploits significantly increased in the third quarter, matching the share of exploits in other software not part of the operating system.

Distribution of published exploits by platform, Q1 2025

Distribution of published exploits by platform, Q2 2025

Distribution of published exploits by platform, Q3 2025

It is noteworthy that no new public exploits for Microsoft Office products appeared in Q3 2025, just as none did in Q2. However, PoCs for vulnerabilities in Microsoft SharePoint were disclosed. Since these same vulnerabilities also affect OS components, we categorized them under operating system vulnerabilities.

Vulnerability exploitation in APT attacks

We analyzed data on vulnerabilities that were exploited in APT attacks during Q3 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q3 2025

APT attacks in Q3 2025 were dominated by zero-day vulnerabilities, which were uncovered during investigations of isolated incidents. A large wave of exploitation followed their public disclosure. Judging by the list of software containing these vulnerabilities, we are witnessing the emergence of a new go-to toolkit for gaining initial access into infrastructure and executing code both on edge devices and within operating systems. It bears mentioning that long-standing vulnerabilities, such as CVE-2017-11882, allow for the use of various data formats and exploit obfuscation to bypass detection. By contrast, most new vulnerabilities require a specific input data format, which facilitates exploit detection and enables more precise tracking of their use in protected infrastructures. Nevertheless, the risk of exploitation remains quite high, so we strongly recommend applying updates already released by vendors.

C2 frameworks

In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks on users during the third quarter of 2025, according to open sources.

Top 10 C2 frameworks used by APT groups to compromise user systems in Q3 2025

Metasploit, whose share increased compared to Q2, tops the list of the most prevalent C2 frameworks from the past quarter. It is followed by Sliver and Mythic. The Empire framework also reappeared on the list after being inactive in the previous reporting period. What stands out is that Adaptix C2, although fairly new, was almost immediately embraced by attackers in real-world scenarios. Analyzed sources and samples of malicious C2 agents revealed that the following vulnerabilities were used to launch them and subsequently move within the victim’s network:

  • CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.
  • CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, also enabling remote access to a vulnerable OS and high-privilege command execution.
  • CVE-2025-6218 and CVE-2025-8088 are similar Directory Traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user. The first was discovered by researchers but subsequently weaponized by attackers. The second is a zero-day vulnerability.

Interesting vulnerabilities

This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q3 2025 and have a publicly available description.

ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass

ToolShell refers to a set of vulnerabilities in Microsoft SharePoint that allow attackers to bypass authentication and gain full control over the server.

  • CVE-2025-49704 involves insecure deserialization of untrusted data, enabling attackers to execute malicious code on a vulnerable server.
  • CVE-2025-49706 allows access to the server by bypassing authentication.
  • CVE-2025-53770 is a patch bypass for CVE-2025-49704.
  • CVE-2025-53771 is a patch bypass for CVE-2025-49706.

These vulnerabilities form one of threat actors’ combinations of choice, as they allow for compromising accessible SharePoint servers with just a few requests. Importantly, they were all patched back in July, which further underscores the importance of promptly installing critical patches. A detailed description of the ToolShell vulnerabilities can be found in our blog.

CVE-2025-8088: a directory traversal vulnerability in WinRAR

CVE-2025-8088 is very similar to CVE-2025-6218, which we discussed in our previous report. In both cases, attackers use relative paths to trick WinRAR into extracting archive contents into system directories. This version of the vulnerability differs only in that the attacker exploits Alternate Data Streams (ADS) and can use environment variables in the extraction path.
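The entry-name checks a pre-extraction scanner can apply against the behaviours described above (relative paths, ADS syntax, environment variables), as an added example that is not part of the original report and not WinRAR's own code. The function names, sample entry names and destination path are constructed for illustration.

```python
import ntpath
import re

ENV_REF = re.compile(r"%[^%\\/:]+%")  # %NAME%-style environment reference

def entry_problems(name: str, dest: str) -> list[str]:
    """Reasons an archive entry name is unsafe to extract under dest (Windows rules)."""
    problems = []
    norm = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\"):
        problems.append("absolute path")
    # Conservative assumption: also treat ".." padded with spaces as traversal.
    if any(part.strip(" ") == ".." for part in rest.split("\\")):
        problems.append("parent-directory component")
    # A colon after the drive prefix is NTFS alternate data stream syntax.
    if ":" in rest:
        problems.append("alternate data stream syntax")
    if ENV_REF.search(norm):
        problems.append("environment variable reference")
    # Independent final check: resolve the target and confirm it is under dest.
    root = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(root, norm))
    try:
        inside = ntpath.commonpath([root, target]) == root
    except ValueError:  # e.g. the entry names a different drive or a UNC share
        inside = False
    if not inside:
        problems.append("resolves outside destination")
    return problems

def audit(names, dest):
    """Map each suspicious entry name to the list of reasons it was flagged."""
    report = {n: entry_problems(n, dest) for n in names}
    return {n: p for n, p in report.items() if p}

# Constructed sample: entry names as a scanner would read them from an archive listing.
DEST = "C:\\Users\\alice\\Downloads\\out"
SAMPLE_NAMES = [
    "docs/report.pdf",
    "..\\..\\other\\file.txt",
    "readme.txt:stream",
    "%TEMP%\\x.bin",
    "C:\\other\\x.bin",
]

if __name__ == "__main__":
    for entry, reasons in audit(SAMPLE_NAMES, DEST).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

The name-based checks and the resolved-path check are deliberately independent: a stream or environment reference can stay inside the destination as a plain string and still be unsafe once the operating system interprets it.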

CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools

Details about this vulnerability were presented by researchers who claim it was used in real-world attacks in 2024.

At the core of the vulnerability lies the fact that an attacker can substitute the command used to launch the Service Discovery component of the VMware Aria tooling or the VMware Tools utility suite. This leads to the unprivileged attacker gaining unlimited privileges on the virtual machine. The vulnerability stems from an incorrect regular expression within the get-versions.sh script in the Service Discovery component, which is responsible for identifying the service version and runs every time a new command is passed.

Conclusion and advice

The number of recorded vulnerabilities continued to rise in Q3 2025, with some being almost immediately weaponized by attackers. The trend is likely to continue in the future.

The most common exploits for Windows are primarily used for initial system access. Furthermore, it is at this stage that APT groups are actively exploiting new vulnerabilities. To hinder attackers’ access to infrastructure, organizations should regularly audit systems for vulnerabilities and apply patches in a timely manner. These measures can be simplified and automated with Kaspersky Systems Management. Kaspersky Symphony can provide comprehensive and flexible protection against cyberattacks of any complexity.
